Compliance Management is the comparison of an Organization's practices against an authoritative source, combined with an ongoing programme of review and appropriate corrective action to raise the Organization's level of compliance with that source.

The "authoritative source" referred to above can be documents such as legislation, regulations, standards, Organizational policies, or simply best practice guidelines.

Although the RiskComp application can be used to manage compliance against most authoritative sources, the expertise currently built into it focuses on the International standard ISO 17799, the "Code of Practice for Information Security Management".

ISO/IEC 17799:2005 is the current edition of this standard (it has since been renumbered as ISO/IEC 27002). It is the internationally recognised code of practice for information security management, providing "best practice" guidance on the selection and implementation of information security controls for Organizations of any sector and any size.

The RiskComp approach to Compliance Management closely follows the Plan-Do-Check-Act (PDCA) cycle used by the British and ISO information security management system standards (BS 7799-2 and ISO/IEC 27001).

Scope Of Assessment

ISO 17799 addresses a wide range of information security issues and their management. Larger Organizations in particular will often prefer to run several compliance exercises rather than a single one, each focused on a specific area of the standard, a specific information system or application, or even a single physical location, much as a risk management exercise would be scoped.

The Scope of Assessment defines exactly what a given survey covers. Pinning this down prevents the scope from being set at too high a level or too broadly, so the assessment stays focused. By prompting for the relevant details, it guides the assessor through defining the scope, whatever their prior knowledge or experience of the process.

Compliance Assessment

The Scope of Assessment generates one or more detailed questionnaires to be completed during the Compliance Assessment. Each questionnaire focuses on a specific Clause of the ISO 17799 standard and is structured to obtain only the information relevant to the defined scope.

Unlike a risk assessment, which links risks to their potential impacts, a RiskComp compliance assessment analyses how the Organization has implemented the authoritative source, identifies the specific controls that are not in place, and recommends actions for each issue raised.

Issue Management

Once the ISO 17799 compliance assessment has been completed, the Organization will have a list of areas (categories), each with a compliance level indicator (score), and a list of possible actions (recommendations) that would raise its compliance with ISO 17799.

RiskComp provides tools to manage these non-compliance issues and to track the actions taken and the progress made in raising compliance to an acceptable level.

2006 © RiskComp Ltd. All rights reserved.